A Study of Ransomware Detection and Prevention at Organizations

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 07 Issue: 07 | July 2020 www.irjet.net p-ISSN: 2395-0072

A Study of Ransomware Detection and Prevention at Organizations Saurabh Kumar Sen1, Nidhi Chourey2 Saurabh Kumar Sen, Department of Information Technology (Cyber security), Vikrant Institute of Technology and Management, Indore (M.P) India. Nidhi Chourey, Professor, Dept. of Information Technology, Vikrant Institute of Technology and Management, Indore (M.P) India. ------***------Abstract - Today ransomware has a serious threat to But, a ransomware attack in two ways. It either locks the the online world. Most of the software firms, universities, computer screen or encrypts certain records with a companies, and organizations in the world are trying to secret passwords. take alert decisions to save from ransomware attacks. A The ransomware is partitioned into two types: Lock joint statement was issued by both governments of the Screen Ransomware and Encryption Ransomware United States and about ransomware attacks insistence users to stay alert and take precautions. Recently on May Lock screen ransomware locks system and demands a 19th, 2017, the Swiss government observed the ransom for letting you access it once again. The second Ransomware Info Day, to spread awareness regarding type, i.e. the Encryption ransomware, modify the files in ransomware and its effects. Ransomware in India as well your system and demands a ransom to decrypt them is on the rise. again. The other types of ransomware are: Even expert computer users can be hit and be afflicted by ransomware attacks. In this case, awareness is very 1. Master Boot Record (MBR) ransomware. beneficial [8]. This study lays the foundation for additional 2. Ransomware encrypting web servers. research to find solutions to the ransomware attack problem at organizations. IT security experts and 3. Android mobile device ransomware. Researchers are aware of chart representations to depict 4. IoT Ransomware. cycles. This paper puts the problem that is faced by organizations on similar representation to show the work Microsoft distributed information specifying how of ransomware. Through combining research, illustrating numerous machines (clients) were influenced by the personal experience of a ransomware attack, Cyber ransomware assaults over the world. It was found that Security tool experience and graphically representing the the United States was on the best of Ransomware work of ransomware, society at large will be better assaults. Here are the top 20 countries that are majority informed about the risk of a ransomware attack. affected by ransomware attacks. Countries Machine count Key Words:- Ransomware, Vulnerability, Malware, U.S 320948 Encryption, Decryption, Wannacry, Eternal Blue, Italy 78948 Machine Learning, Symantec, Trend Micro. Canada 45840 U.K 38068 1. INTRODUCTION Spain 35992 Turkey 32714 A Ransomware is a type of malware that locks your files, Australia 25949 data or the pc itself and extorts money from you to Brazil 24953 provide access. This can be another way for malware Taiwan 20448 developers to 'collect funds' for their ill-conceived Germany 19984 Republic of Korea 19842 exercises on the web. Once ransomware contaminates a Netherlands 18594 network device, it begins scrambling records, organizers, Mexico 16525 and whole hard drives partitions utilizing encryption Russian Federation 13980 algorithms like RSA or RC4. India 13783 Types of Ransomware attacks Korea 13347 South Africa 10830 Ransomware used to display a message or Readme text Romania 10220 stating that the user has done something criminal Japan 9738 activities and they are being fined by the police or the government agency based on cyber policy. To get rid of these false 'charges', users were asked to pay these fines.

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 07 Issue: 07 | July 2020 www.irjet.net p-ISSN: 2395-0072

Examples: Table 1: The list of ransomware families, different families and Propagation Strategies. 1. Advanced ransomware like Spore, WannaCrypt (moreover known as WannaCry). And Petya PROPAGATION (moreover known as NotPetya) spread to other FAMILIES STRTEGIES computers through network shares or exploits. Spora drops ransomware duplicates in WANNACRY Samba Vulnerability organizing shares. SHADE Spam Email 2. WannaCrypt abuses the Server Message Block (SMB) Powerlessness CVE-2017-0144 (too Word Document called Eternal Blue) to contaminate other JIGSAW with Javascript computers [10]. 3. A kind of ransomware family petya exploits the SATANA E-mail Attachments same vulnerability, in addition to CVE-2017- Link in an E-mail 0145 (also known as Eternal Blue), and stolen indicating to be a job credentials to move across networks. PETYA application Older ransomware like Reveton locks screens rather Compromised than scrambling files. The attacker shows a full-screen websites and e-mail picture approximately ransom attack and disable Task CERBER attachments Manager. During this, Records are secure but viably blocked off. The picture contains a message claiming to CRYPTOMIX Spear phishing Email be from law requirement that illuminates the computer CTB-LOCKER Email attachments has been utilized in unauthorized cybercriminal activities and must be paid. Because of this, Reveton is Compromised nickname "police Trojan" or "Police ransomware". websites and email Ransomware family-like Cerber and Locky encrypt TELSACRYPTO attachments specific file types, typically media and document files. Compromised After completion of encryption, the malware displays a websites and e-mail ransom note using text, image, or an HTML file with the FILECRYPTO attachments information to pay a ransom to decrypt files. Compromised Awful Rabbit ransomware was found endeavoring to websites and email spread over systems utilizing hardcoded usernames and CRYPTOWALL attachments passwords in brute force attacks. Compromised

websites and e-mail APPEARED YEAR CRYPTOLOCKER attachments GpCODE Email attachments 2018 2016 Accused of illegal 2014 REVETON activities 2012 2010 2008 In India, around 67 percent of the surveyed entities were hit by ransomware last year. Around 37 incidents of ransomware attacks were reported to the Indian Computer Emergency Response Team (CERT-In). Of these, 34 incidents were found of WannaCry and Petya ransomware. WannaCry ransomware attacks were to Figure 1.Ransomware attack with appeared year begin with Detailed on 12th May 2017 and Petya on 27th June 2017. Note that add up to no. of ransomware Above appeared ransomware families have different occurrence has been detailed to CERT-In within the propagation strategies. The propagation strategies are past: the way and method of ransomware propagation in a particular organization. Below the table of ransomware  2015:2 propagation strategies.  2016:26  2017 (till June):37

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 07 Issue: 07 | July 2020 www.irjet.net p-ISSN: 2395-0072

More than 27,000 cybersecurity risk occurrences within preventing the specific payload of ransomware from the to begin with half of 2017 alone detailed by CERT-In entering the computer... [3]. These incorporate extend of threats like phishing Machine learning algorithms for ransomware attacks, websites intrusions and defacements or harms identification can be used as a proactive method for to information as well as ransomware attacks. As per combating ransomware threats, regardless of whether CERT-In's data, the number of cybersecurity incidents they are designed for PCs, mobile devices or even IoTs. reported in the past 3 years: The main advantage of machine learning is that it can be  2017:44,679 used as a tool to increase established safety layers, giving  2015:49,455 them proactivity, effectiveness and efficiency.  2016:50,362 Ransomware remains here: protection is the same. It is  2017 (till June): 27,482 highly unlikely that ransomware will soon go away, Machine learning particularly because digitalization has resulted in increased interconnectivity between systems. With a Machine learning is a form of artificial intelligence (AI) proven and tested business model and financial gains in which gives systems the ability to learn and improve the billions of dollars, ransomware is likely the biggest automatically from experience without explicit mass-market threat to both end-users and organizations. programming. ML focuses on designing Scripts, However, machine learning algorithms can augment all computer programs that are able to access and use data security layers to detect and plug threats at pre- to think for themselves. execution, on-execution, and post-execution, making The method of learning begins with observations or ransomware less of threats and more of a nuisance. information, such as cases, direct experience, or instruction, to search for designs in information and 2. LITERATURE REVIEW make better choices within the future based on the cases that we offer. The essential point is to permit the According to the review literature about Ransomware, a computers to memorize consequently without human brief history of how it works developed and some mediation or help and adjust activities appropriately. popular stories from an Organization that is infected with ransomware malware and related information. For Where conventional file-based security detection three years, the number of organization victims being technology fails, machine learning algorithms succeed targeted by ransomware is increasing. When it attacks neural networks and profound learning algorithms can any organization, first it spread in the network, slowly detect unknown ransomware samples when properly encrypts files and demands large amounts of money to trained and modified to produce a small number of false restore encrypted files. But practically impossible to positives. Enhance cloud-based detections with machine reverse the encryption or crack the files without the learning and genetic algorithms are also effective in original encryption key. resist the excessive growth of ransomware caused by its polymorphic behavior. Prominent Research Work A major benefit of using machine learning models to spot According to the comprehensive review of previous ransomware is that it increases the number of possible research work. ransomware files it can detect, if enough ransomware 1. A brief study of wannacry threat: Ransomware features are presents in an unknown ransomware attack 2017. The focus of paper on the wannacry sample, the file is likely ransomware. attack 2017, it explains about wannacry The second benefits are that machine learning models ransomware threat. are extremely small, usually, around 1 kilobyte, which 2. Detection and Avoidance of Ransomware makes them easy to deploy across the entire user base. (2017).This paper focus on detection and avoidance The only drawback of utilizing machine learning models method for ransomware attack to reduce damage. to identify ransomware is that they have to be broadly tried before deployment to maintain a strategic distance 3. Ransomware: A research and a personal case study from inaccurately labeling clean records as malicious. of dealing with this nasty malware-IISIT.ORG (2017) A few machine learning algorithms can indeed recognize 4. Ransomware for the Internet of things-ARNE suspicious URLs that are either utilized to spread MAXIMILLIAN KAUL. (2017 ransomware or act as command and control servers. 5. Detection and Prevention of Crypto-Ransomware- Using Natural Processing (NLP) algorithms and different Daniel Gonzalez Fordham center Cybersecurity, clustering methods to decode texts, they can prevent Fordham University, New York, NY, USA (2017). victims from accessing new or unknown connections,

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 07 Issue: 07 | July 2020 www.irjet.net p-ISSN: 2395-0072

6. Experimental Analysis of Ransomware on Windows WannaCry recently attacked for money, as they asked for and Android Platforms: Evolution and ransom in return for decryption keys, but later Petya Characterization (2016). The focus of the paper is on encrypted and deleted all data. ransomware families evolved in windows and Table 2: Affected Organisation sector in India android environments. We analysis of ransomware families, focusing on their evolution and characterization. Organization sector Affected Services 38% 7. A Novel method for Recovery from Crypto- Ransomware infections. (2016)Using the crypto- Manufacturer 17% ransomware method not only covers prevention but Public Administrative 10% also focuses on how to recreate the files. Using Lock, Finance, Insurance & Real Tesla Crypto and CTB locker successfully infected Estate 10% the system and easily and automatically be restored Wholesale Trade 9% and encrypt the data. Disadvantage- the local hard Transportation, drive would become unusable or damaged on the file Communications & Utilities 7% system level; the proposed method will not work without first repairing the structure of the damage. Retail Trade 4% 8. Detecting Ransomware with Honeypot techniques. Construction 4% (2016).These research techniques to implement a Mining 1% honeypot to detect ransomware activity. When activated, Agriculture, Forestry & Fishing 1% the research produced a staged response to attacks on the device along with thresholds. Disadvantage-there is no guarantee the malware would attempt to invade Problems occur during attacks: these areas, and a honeypot free from attack alerts is not 1. Productivity loss during downtime: 50 percent an indicator that other areas are not being targeted. 2. Corporate revenue generation per hour: $24,000 Motivational Approach 3. 21 hours of downtime until full recovery In the last five years, most Organizations were affected by a ransomware attack all over the world. In India, Ransomware attack effect on organizations: several companies in the cities of Mumbai, Hyderabad, 1. 50 per cent risk of workers experiencing loss of Bengaluru, and Chennai were also affected. These cyber- productivity attack dangerous for the digital world, which motivates me for Risk analysis, malware detection, prevention, 2. 30 per cent chance the company will temporarily troubleshooting at organizations with the help of shut down Security tools and Machine learning technology. So, a 3. 20 per cent chance of loss of corporate revenue. prominent comprehensive review of related literature and professional reports of Research paper that helps me to work in the cyber-attacks. 4. ANALYSIS REPORT

Predicate: Understand risk, know attack surface and With the help of Symantec Endpoint Protection and Uncover weak spots. Trend Micro Officescan at PSU Organization, we analyze: Prevent: Minimize the attack surface, prevent incidents. 1. Daily Detected wannacry ransomware in Respond: data breaches, mitigation, analyze and learn. Organization Network. Detect: Recognize, identify and handle events and 2. With Symantec Endpoint Protection, threats. Ransom.wannacry detected 3. Mostly found Wannacry in extensions in Trend 3. PROBLEM STATEMENT Micro Officescan like:

Ransomware attack hacks confidential business and 1. Ransom_WCRY.DAM, personal data and asks for ransom in the return of 2. Ransom_WC hacked or encrypted data. Around the world, Ransomware attacks cost businesses millions and millions of money.

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 07 Issue: 07 | July 2020 www.irjet.net p-ISSN: 2395-0072

8. Configure installing Enhanced Mitigation Experience Toolkit or similar Host-level anti- exploitation tools. 9. Disable macros in Microsoft products. Specific countermeasures to prevent Ransomware attack: Organizations IT administrators are advised to use the following preventive measures to protect their computers from ransomware malware attacks: 1. Symantec and TrendMicro offices cannot be supported in Windows XP. Up-to-date with the latest operating system. 2. To apply Microsoft security patches to prevent ransomware infection such as Microsoft Security Bulletin MS17-010. 3. In Windows XP, Vista, Server 2003, Server 2008, Microsoft patches not supported. Figure 2.Wannacry Detection 4. Regularly backup of critical data to prevent data Prevention Tool Used:- loss. TrendMicro Ransomware Screen Unlocker tool. 5. Disable SMBv1 or block SMB port (UDP 137, 138 and Microsoft Enhanced Mitigation and Experience toolkit TCP 139,445). (EMET). 6. Enable IDS/IPS feature of Firewall and Antivirus to Malwarebytes Anti-Ransomware (formally Crypto prevent attacks. Monitor). 6. Conclusion & Future Scope 5. METHODOLOGY In this research, the goal to improve malware detection, Best Practices to prevent ransomware attacks: prevention, and mitigation. Using the method to reduce damage caused by ransomware attacks and techniques 1. Keep up to date with the new updates on the to minimize the ransomware attack loopholes in the operating system, third party software (MS network. Office, Browsers, and Browser plugins).Disable In the Future, It will help to find malware more effective remote Desktop Connections. way with upcoming new technology and easy to minimize organization losses due to ransomware. Also, 2. Enable a personal firewall on workstations. this report motivates new researchers and analytics for 3. Maintain updated Antivirus software on all the decryption of infected files. systems. The main goal of this thesis is to implementing risk with 4. Strict External Device (USB drive) usage policy. the help of machine learning and Python language according to organization research. 5. Restrict permissions for users to install and run inappropriate software applications. Block the References attachments of file types: exe/pif/tmp/url/vb/vbe/scr/reg/cer/pst/cmd/ 1. A Brief Study of Wannacry Threat: Ransomware bat/dll/hlp/hta/js/wsf. Attack 2017- IJARCS Savita Mohrule,Manisha patil, MITACSC, Alandi, Pune, India. 6. Check the contents of backup files of databases 2. Fundamental of Machine Learning for Predictive daily for any unauthorized encrypted contents Data Analytics: Algorithms, Worked Examples, and Case Studies by John Kelleher, Brian Mac Namee, and of data records or external elements, backdoors, Aoife D’Arcy. malicious scripts. 3. Ransomware: A Research and a personal case study 7. Configure access controls with file, directory of dealing with this nasty malware-Azad Ali, Indiana and network share permissions with least University of Pennsylvania. privilege.

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 07 Issue: 07 | July 2020 www.irjet.net p-ISSN: 2395-0072

4. Detection of ransomware on windows operating systems-Jaan Priisalu, TALLINN UNIVERSITY OF TECHNOLOGY. 5. Sanggeun Song, Bongjoon Kim, and Sangjun Lee. “The Effective Ransomware Prevention Technique Using Process Monitoring on Android Platform”, Hindawi Publishing Corporation Mobile Information Systems Volume 2016, Article ID 2946735, 9 pages. 6. Nikolai Hampton, Zubair A. Baig, “Ransomware: Emergence of the cyber-extortion menace”,The Proceedings of [the] 13th Australian Information Security Management Conference, held from the 30 November – 2 December, 2015 (pp. 47-56), Edith Cowan University Joondalup Campus, Perth, Western Australia. Websites: 1. http://www.catalog.update.microsoft.com/Search.a sp?q=KB4012598 2. https://www.csoonline.com/article/3212260/the- 5-biggest-ransomware-attacks-of-the-last-5- years.html 3. https://www.us-cert.gov/Ransomware 4. https://support.symantec.com/us/en/article.howto 124710.html 5. https://www.symantec.com/connect/blogs/report- organizations-must-respond-increasing-threat- ransomware 6. https://blog.malwarebytes.com/malwarebytes- news/2016/01/introducing-the-malwarebytes-anti- ransomware-beta/ 7. https://esupport.trendmicro.com/en- us/home/pages/technical-support/1105975.aspx 8. http://iisit.org/Vol14/IISITv14p087- 099Ali3400.pdf 9. https://www.medianama.com/2017/08/223- ransomware-india-wannacry-petya/ 10. https://docs.microsoft.com/en- us/windows/security/threat - protection/intelligence/ransomware-malware.